UNC6692 Attack: New Threat Group Deploys Custom Malware Via Helpdesk Impersonation
Breaking: UNC6692 Campaign Targets Enterprise Users with Sophisticated Phishing
Google Threat Intelligence Group (GTIG) has identified a new threat group, UNC6692, that compromised networks through a multi-stage intrusion campaign combining persistent social engineering, a custom malware suite, and lateral movement. The attack, which began in late December 2025, relied on impersonating IT helpdesk employees via Microsoft Teams to trick victims into installing malicious software.

UNC6692 first overwhelmed targets with a large email campaign, creating urgency and confusion. The attacker then sent a phishing message through Microsoft Teams, posing as helpdesk staff offering assistance with the email volume. The victim was prompted to click a link to install a local “spam patch,” which instead downloaded a renamed AutoHotKey binary and script from an attacker-controlled AWS S3 bucket.
Infection Chain
Once the victim clicked the link, the browser opened an HTML page that fetched the malware from a URL resembling a Microsoft service update. The AutoHotKey binary automatically executed a script with the same filename, leading to initial reconnaissance and the installation of SNOWBELT—a malicious Chromium browser extension not distributed through the Chrome Web Store.
“UNC6692 demonstrates an evolution in social engineering tactics, exploiting inherent trust in enterprise collaboration tools,” said a GTIG analyst. “The use of AutoHotKey and a malicious browser extension allowed stealthy persistence and data collection.”
Persistence for SNOWBELT was established via a Windows Startup folder shortcut and a scheduled task. The AutoHotKey script verified the extension was running and launched a headless Edge browser instance with the extension loaded, enabling continued access.

Background
UNC6692 is a threat group newly tracked by GTIG, first observed in late 2025. The campaign reflects a broader trend of attackers relying on social engineering to bypass technical defenses. Custom malware suites like the one used by UNC6692 are increasingly modular, allowing attackers to adapt to the environments they compromise.
“The multi-stage approach—overwhelming emails followed by targeted Teams messages—shows careful planning,” commented a cybersecurity expert from Mandiant. “It’s a reminder that even authorized communication channels can be weaponized.”
What This Means
Organizations must strengthen helpdesk verification processes and train employees to recognize social engineering attempts. The use of Microsoft Teams as an attack vector underscores the need for strict external chat policies and multi-factor authentication for all remote support interactions.
GTIG recommends monitoring for unusual AutoHotKey executions and unauthorized Chrome extensions. “No organization is immune to these targeted attacks,” the analyst added. “Vigilance and layered defenses remain critical.”
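The two indicators the article names, a renamed AutoHotKey interpreter and a headless Edge instance started with a side-loaded extension (see the persistence description above), can be turned into simple process-creation checks. The following is an added example, not code from GTIG or the report; it runs over constructed Sysmon-style Event ID 1 records (the `Image`, `OriginalFileName` and `CommandLine` field names are real Sysmon fields, the event contents are made up), and the paths and extension directory it uses are assumptions.

```python
"""Added detection example over constructed Sysmon-style process-creation
events mirroring the UNC6692 chain: a renamed AutoHotKey binary and a
headless Edge launch with a side-loaded extension."""
import re
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry from the campaign).
EVENTS = [
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\MicrosoftUpdate.exe",
     "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r'"C:\Users\jdoe\AppData\Local\Temp\MicrosoftUpdate.exe"'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe",
     "CommandLine": r"msedge.exe --headless --load-extension=C:\Users\jdoe\AppData\Roaming\ext"},
    {"Image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" C:\Scripts\build.ahk'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe",
     "CommandLine": r"msedge.exe --profile-directory=Default"},
]

def renamed_autohotkey(ev):
    """PE metadata says AutoHotkey but the on-disk file name differs.
    A normally named AutoHotkey.exe is not flagged by this rule alone."""
    image_name = PureWindowsPath(ev["Image"]).name.lower()
    return (ev.get("OriginalFileName", "").lower() == "autohotkey.exe"
            and image_name != "autohotkey.exe")

def headless_edge_with_extension(ev):
    """Headless Edge/Chromium with --load-extension: the extension is
    side-loaded outside the Web Store and no window is shown to the user."""
    cmd = ev.get("CommandLine", "")
    is_chromium = PureWindowsPath(ev["Image"]).name.lower() in ("msedge.exe", "chrome.exe")
    return is_chromium and "--headless" in cmd and re.search(r"--load-extension(=|\s)", cmd) is not None

def triage(events):
    """Return (event index, rule name) for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        if renamed_autohotkey(ev):
            hits.append((i, "renamed-autohotkey"))
        if headless_edge_with_extension(ev):
            hits.append((i, "headless-edge-extension"))
    return hits
```

Running `triage(EVENTS)` flags only the first two constructed events; the legitimately named AutoHotkey.exe and the ordinary Edge launch pass.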
For more details, refer to the infection chain overview and GTIG’s full report.